4 import csv, time, argparse;
7 from random import randrange
9 from GoodFETMCPCAN import GoodFETMCPCAN;
10 from GoodFETMCPCANCommunication import GoodFETMCPCANCommunication
11 from intelhex import IntelHex;
18 class experiments(GoodFETMCPCANCommunication):
20 This class provides methods for reverse-engineering the protocols on the CAN bus network
21 via the GOODTHOPTER10 board, U{http://goodfet.sourceforge.net/hardware/goodthopter10/}
25 def __init__(self, data_location = "../../contrib/ThayerData/"):
28 @type data_location: string
29 @param data_location: path to the folder where data will be stored
31 GoodFETMCPCANCommunication.__init__(self, data_location)
32 #super(experiments,self).__init(self)
36 def filterStdSweep(self, freq, low, high, time = 5):
38 This method will sweep through the range of standard ids given from low to high.
39 This will actively filter for 6 ids at a time and sniff for the given amount of
40 time in seconds. If at least one message is read in then it will go individually
41 through the 6 ids and sniff only for that id for the given amount of time.
42 This does not save any sniffed packets.
45 @param freq: The frequency at which the bus is communicating
47 @param low: The low end of the id sweep
49 @param high: The high end of the id sweep
51 @param time: Sniff time for each trial. Default is 5 seconds
53 @rtype: list of numbers
54 @return: A list of all IDs found during the sweep.
58 self.client.MCPsetup()
59 for i in range(low, high+1, 6):
60 print "sniffing id: %d, %d, %d, %d, %d, %d" % (i,i+1,i+2,i+3,i+4,i+5)
61 comment= "sweepFilter: "
62 #comment = "sweepFilter_%d_%d_%d_%d_%d_%d" % (i,i+1,i+2,i+3,i+4,i+5)
63 description = "Running a sweep filer for all the possible standard IDs. This run filters for: %d, %d, %d, %d, %d, %d" % (i,i+1,i+2,i+3,i+4,i+5)
64 count = self.sniff(freq=freq, duration = time, description = description,comment = comment, standardid = [i, i+1, i+2, i+3, i+4, i+5])
66 for j in range(i,i+5):
67 comment = "sweepFilter: "
68 #comment = "sweepFilter: %d" % (j)
69 description = "Running a sweep filer for all the possible standard IDs. This run filters for: %d " % j
70 count = self.sniff(freq=freq, duration = time, description = description,comment = comment, standardid = [j, j, j, j])
76 def sweepRandom(self, freq, number = 5, time = 5):
78 This method will choose random values to listen out of all the possible standard ids up to
79 the given number. It will sniff for the given amount of time on each set of ids on the given
80 frequency. Sniffs in groups of 6 but when at least one message is read in it will go through all
81 six individually before continuing. This does not save any sniffed packets.
84 @param freq: The frequency at which the bus is communicating
86 @param number: High end of the possible ids. This will define a range from 0 to number that the ids will be chosen from
88 @param time: Sniff time for each trial. Default is 5 seconds
90 @rtype: list of numbers, list of numbers
91 @return: A list of all IDs found during the sweep and a list of all the IDs that were listened for throughout the test
93 msgIDs = [] #standard IDs that we have observed during run
94 ids = [] #standard IDs that have been tried
96 self.client.MCPsetup()
97 for i in range(0,number+1,6):
99 comment = "sweepFilter: "
100 for j in range(0,6,1):
102 #comment += "_%d" % id
106 description = "Running a sweep filer for all the possible standard IDs. This runs the following : " + comment
107 count = self.sniff(freq=freq, duration=time, description=description, comment = comment, standardid = idsTemp)
109 for element in idsTemp:
110 #comment = "sweepFilter: %d" % (element)
111 comment="sweepFilter: "
112 description = "Running a sweep filer for all the possible standard IDs. This run filters for: %d " % element
113 count = self.sniff(freq=freq, duration = time, description = description,comment = comment, standardid = [element, element, element])
119 def rtrSweep(self,freq,lowID,highID, attempts = 1,duration = 1, verbose = True):
121 This method will sweep through the range of ids given by lowID to highID and
122 send a remote transmissions request (RTR) to each id and then listen for a response.
123 The RTR will be repeated in the given number of attempts and will sniff for the given duration
124 continuing to the next id.
126 Any messages that are sniffed will be saved to a csv file. The filename will be stored in the DATA_LOCATION folder
127 with a filename that is the date (YYYYMMDD)_rtr.csv. If the file already exists it will append to the end of the file
128 The format will follow that of L{GoodFETMCPCANCommunication.sniff} in that the columns will be as follows:
129 1. timestamp: as floating point number
130 2. error boolean: 1 if there was an error detected of packet formatting (not exhaustive check). 0 otherwise
131 3. comment tag: comment about experiments as String
132 4. duration: Length of overall sniff
133 5. filtering: 1 if there was filtering. 0 otherwise
140 @param freq: The frequency at which the bus is communicating
142 @param lowID: The low end of the id sweep
143 @type highID: integer
144 @param highID: The high end of the id sweep
145 @type attempts: integer
146 @param attempts: The number of times a RTR will be repeated for a given standard id
147 @type duration: integer
148 @param duration: The length of time that it will listen to the bus after sending an RTR
149 @type verbose: boolean
150 @param verbose: When true, messages will be printed out to the terminal
153 @return: Does not return anything
155 #set up file for writing
156 now = datetime.datetime.now()
157 datestr = now.strftime("%Y%m%d")
158 path = self.DATA_LOCATION+datestr+"_rtr.csv"
160 outfile = open(filename,'a');
161 dataWriter = csv.writer(outfile,delimiter=',');
162 dataWriter.writerow(['# Time Error Bytes 1-13']);
163 dataWriter.writerow(['#' + "rtr sweep from %d to %d"%(lowID,highID)])
166 #self.client.serInit()
167 #self.spitSetup(freq)
170 for i in range(lowID,highID+1, 1):
171 self.client.serInit()
172 self.spitSetup(freq) #reset the chip to try and avoid serial timeouts
174 standardid = [i, i, i, i]
175 self.addFilter(standardid, verbose = True)
177 #### split SID into different areas
178 SIDlow = (standardid[0] & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
179 SIDhigh = (standardid[0] >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
181 packet = [SIDhigh, SIDlow, 0x00,0x00,0x40]
182 dataWriter.writerow(["#requested id %d"%i])
183 #self.client.poke8(0x2C,0x00); #clear the CANINTF register; we care about bits 0 and 1 (RXnIF flags) which indicate a message is being held
185 packet1 = self.client.rxpacket();
186 packet2 = self.client.rxpacket();
188 self.client.txpacket(packet)
189 ## listen for 2 packets. one should be the rtr we requested the other should be
190 ## a new packet response
191 starttime = tT.time()
192 while ((time.time() - starttime) < duration): #listen for the given duration time period
193 packet = self.client.rxpacket()
196 # we have sniffed a packet, save it
198 row.append("%f"%time.time()) #timestamp
199 row.append(0) #error flag (not checkign)
200 row.append("rtrRequest_%d"%i) #comment
201 row.append(duration) #sniff time
202 row.append(1) # filtering boolean
204 row.append("%02x"%ord(byte));
205 dataWriter.writerow(row)
206 print self.client.packet2parsedstr(packet)
208 # for each trial repeat
209 while( trial <= attempts):
210 print "trial: ", trial
211 self.client.MCPrts(TXB0=True);
212 starttime = time.time()
213 # this time we will sniff for the given amount of time to see if there is a
214 # time till the packets come in
215 while( (time.time()-starttime) < duration):
216 packet=self.client.rxpacket();
220 row.append("%f"%time.time()) #timestamp
221 row.append(0) #error flag (not checking)
222 row.append("rtrRequest_%d"%i) #comment
223 row.append(duration) #sniff time
224 row.append(1) # filtering boolean
226 row.append("%02x"%ord(byte));
227 dataWriter.writerow(row)
228 print self.client.packet2parsedstr(packet)
230 print "sweep complete"
233 # This method will do generation based fuzzing on the id given in standard id
234 # dbLimits is a dictionary of the databytes
235 # dbLimits['db0'] = [low, High]
237 # dbLimits['db7'] = [low, High]
238 # where low is the low end of values for the fuzz, high is the high end value
239 # period is the time between sending packets in milliseconds, writesPerFuzz is the times the
240 # same fuzzed packet will be injecetez. Fuzzes is the number of different packets to be injected
241 def generationFuzzer(self,freq, standardIDs, dbLimits, period, writesPerFuzz, Fuzzes):
243 This method will perform generation based fuzzing on the bus. The method will inject
244 properly formatted, randomly generated messages at a given period for a I{writesPerFuzz}
245 number of times. The packets that are injected into the bus will all be saved in the following path
246 DATALOCATION/InjectedData/(today's date (YYYYMMDD))_GenerationFuzzedPackets.csv. An example filename would be 20130222_GenerationFuzzedPackets.csv
247 Where DATALOCATION is provided when the class is initiated. The data will be saved as integers.
248 Each row will be formatted in the following form::
249 row = [time of injection, standardID, 8, db0, db1, db2, db3, db4, db5, db6, db7]
252 @param freq: The frequency at which the bus is communicating
253 @type standardIDs: list of integers
254 @param standardIDs: List of standard IDs the user wishes to fuzz on. An ID will randomly be chosen
255 with every new random packet generated. If only 1 ID is input in the list then it will
256 only fuzz on that one ID.
257 @type dbLimits: dictionary
258 @param dbLimits: This is a dictionary that holds the limits of each bytes values. Each value in the dictionary will be a list
259 containing the lowest possible value for the byte and the highest possible value. The form is shown below::
261 dbLimits['db0'] = [low, high]
262 dbLimits['db1'] = [low, high]
264 dbLimits['db7'] = [low, high]
267 @param period: The time gap between packet inejctions given in milliseconds
268 @type writesPerFuzz: integer
269 @param writesPerFuzz: This will be the number of times that each randomly generated packet will be injected onto the bus
270 before a new packet is generated
271 @type Fuzzes: integer
272 @param Fuzzes: The number of packets to be generated and injected onto bus
275 @return: This method does not return anything
278 #print "Fuzzing on standard ID: %d" %standardId
279 self.client.serInit()
281 packet = [0,0,0x00,0x00,0x08,0,0,0,0,0,0,0,0] #empty packet template
284 #get folder information (based on today's date)
285 now = datetime.datetime.now()
286 datestr = now.strftime("%Y%m%d")
287 path = self.DATA_LOCATION+"InjectedData/"+datestr+"_GenerationFuzzedPackets.csv"
289 outfile = open(filename,'a');
290 dataWriter = csv.writer(outfile,delimiter=',');
291 #dataWriter.writerow(['# Time Error Bytes 1-13']);
292 #dataWriter.writerow(['#' + description])
294 numIds = len(standardIDs)
295 fuzzNumber = 0; #: counts the number of packets we have generated
296 while( fuzzNumber < Fuzzes):
297 id_new = standardIDs[random.randint(0,numIds-1)]
299 #### split SID into different regs
300 SIDhigh = (id_new >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
301 SIDlow = (id_new & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
305 #generate a fuzzed packet
306 for i in range(0,8): # for each data byte, fuzz it
308 limits = dbLimits[idx]
309 value = random.randint(limits[0],limits[1]) #generate pseudo-random integer value
312 #put a rough time stamp on the data and get all the data bytes
313 row = [tT.time(), id_new,8] # could make this 8 a variable
315 for i in range(5,13):
316 row.append(packet[i])
317 msg += " %d"%packet[i]
319 dataWriter.writerow(row)
320 self.client.txpacket(packet)
321 tT.sleep(period/1000)
323 #inject the packet the given number of times.
324 for i in range(1,writesPerFuzz):
325 self.client.MCPrts(TXB0=True)
326 tT.sleep(period/1000)
328 print "Fuzzing Complete"
329 SIDhigh = (1056 >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
330 SIDlow = (1056 & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
331 packet = [SIDhigh, SIDlow, 0, 0, 8, 65, 255, 32, 120, 0, 0, 1, 247]
332 self.client.txpacket(packet)
333 for i in range(0,100):
334 self.client.MCPrts(TXB0=True)
338 def generalFuzz(self,freq, Fuzzes, period, writesPerFuzz):
340 The method will inject properly formatted, randomly generated messages at a given period for a I{writesPerFuzz}
341 number of times. A new random standard id will be chosen with each newly generated packet. IDs will be chosen from the full
342 range of potential ids ranging from 0 to 4095. The packets that are injected into the bus will all be saved in the following path
343 DATALOCATION/InjectedData/(today's date (YYYYMMDD))_GenerationFuzzedPackets.csv. An example filename would be 20130222_GenerationFuzzedPackets.csv
344 Where DATALOCATION is provided when the class is initiated. The data will be saved as integers.
345 Each row will be formatted in the following form::
346 row = [time of injection, standardID, 8, db0, db1, db2, db3, db4, db5, db6, db7]
349 @param freq: The frequency at which the bus is communicating
351 @param period: The time gap between packet inejctions given in milliseconds
352 @type writesPerFuzz: integer
353 @param writesPerFuzz: This will be the number of times that each randomly generated packet will be injected onto the bus
354 before a new packet is generated
355 @type Fuzzes: integer
356 @param Fuzzes: The number of packets to be generated and injected onto bus
359 @return: This method does not return anything
362 #print "Fuzzing on standard ID: %d" %standardId
363 self.client.serInit()
365 packet = [0,0,0x00,0x00,0x08,0,0,0,0,0,0,0,0] #empty template
367 #get folder information (based on today's date)
368 now = datetime.datetime.now()
369 datestr = now.strftime("%Y%m%d")
370 path = self.DATA_LOCATION+"InjectedData/"+datestr+"_GenerationFuzzedPackets.csv"
372 outfile = open(filename,'a');
373 dataWriter = csv.writer(outfile,delimiter=',');
374 #dataWriter.writerow(['# Time Error Bytes 1-13']);
375 #dataWriter.writerow(['#' + description])
377 fuzzNumber = 0; #: counts the number of packets we have generated
378 while( fuzzNumber < Fuzzes):
379 #generate new random standard id in the full range of possible values
380 id_new = random.randint(0,4095)
382 #### split SID into different regs
383 SIDhigh = (id_new >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
384 SIDlow = (id_new & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
388 #generate a fuzzed packet
389 for i in range(0,8): # for each data byte, fuzz it
392 value = random.randint(0, 255) #generate pseudo-random integer value
395 #put a rough time stamp on the data and get all the data bytes
396 row = [time.time(), id_new,8]
397 """@todo: allow for varied packet lengths"""
399 for i in range(5,13):
400 row.append(packet[i])
401 msg += " %d"%packet[i]
403 dataWriter.writerow(row)
404 self.client.txpacket(packet)
405 time.sleep(period/1000)
407 #inject the packet the given number of times.
408 for i in range(1,writesPerFuzz):
409 self.client.MCPrts(TXB0=True)
410 time.sleep(period/1000)
412 print "Fuzzing Complete"
415 # assumes 8 byte packets
416 def packetRespond(self,freq, time, repeats, period, responseID, respondPacket,listenID, listenPacket = None):
418 This method will allow the user to listen for a specific packet and then respond with a given message.
419 If no listening packet is included then the method will only listen for the id and respond with the specified
420 packet when it receives a message from that id. This process will continue for the given amount of time (in seconds).
421 and with each message received that matches the listenPacket and ID the transmit message will be sent the I{repeats} number
422 of times at the specified I{period}. This message assumes a packet length of 8 for both messages, although the listenPacket can be None
425 @param freq: Frequency of the CAN bus
427 @param time: Length of time to perform the packet listen/response in seconds.
428 @type repeats: Integer
429 @param repeats: The number of times the response packet will be injected onto the bus after the listening
430 criteria has been met.
432 @param period: The time interval between messages being injected onto the CAN bus. This will be specified in milliseconds
433 @type responseID: Integer
434 @param responseID: The standard ID of the message that we want to inject
435 @type respondPacket: List of integers
436 @param respondPacket: The data we wish to inject into the bus. In the format where respondPacket[0] = databyte 0 ... respondPacket[7] = databyte 7
437 This assumes a packet length of 8.
438 @type listenID: Integer
439 @param listenID: The standard ID of the messages that we are listening for. When we read the correct message from this ID off of the bus, the method will
440 begin re-injecting the responsePacket on the responseID
441 @type listenPacket: List of Integers
442 @param listenPacket: The data we wish to listen for before we inject packets. This will be a list of the databytes, stored as integers such that
443 listenPacket[0] = data byte 0, ..., listenPacket[7] = databyte 7. This assumes a packet length of 8. This input can be None and this
444 will lead to the program only listening for the standardID and injecting the response as soon as any message from that ID is given
448 self.client.serInit()
451 #formulate response packet
452 SIDhigh = (responseID >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
453 SIDlow = (responseID & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
454 #resPacket[0] = SIDhigh
455 #resPacket[1] = SIDlow
456 resPacket = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
457 0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
458 # lower nibble is DLC
459 respondPacket[0],respondPacket[1],respondPacket[2],respondPacket[3],respondPacket[4],respondPacket[5],respondPacket[6],respondPacket[7]]
460 #load packet/send once
461 """@todo: make this only load the data onto the chip and not send """
462 self.client.txpacket(resPacket)
463 self.addFilter([listenID,listenID,listenID,listenID, listenID, listenID]) #listen only for this packet
464 startTime = tT.time()
466 while( (tT.time() - startTime) < time):
467 packet = self.client.rxpacket()
469 print "packet read in, responding now"
470 # assume the ids already match since we are filtering for the id
472 #compare packet received to desired packet
473 if( listenPacket == None): # no packets given, just want the id
474 for i in range(0,repeats):
475 self.client.MCPrts(TXB0=True)
476 tT.sleep(period/1000)
477 else: #compare packets
478 sid = ord(packet[0])<<3 | ord(packet[1])>>5
479 print "standard id of packet recieved: ", sid #standard ID
483 byteIn = ord(packet[idx])
485 compareIn = listenPacket[i]
486 print byteIn, compareIn
487 if( byteIn != compareIn):
489 print "packet did not match"
492 if( packet != None ):
493 self.client.MCPrts(TXB0=True)
494 tT.sleep(period/1000)
495 print "Response Listening Terminated."
498 # def generationFuzzRandomID(self, freq, standardIDs, dbLimits, period, writesPerFuzz, Fuzzes):
499 # print "Fuzzing on standard ID: %d" %standardId
500 # self.client.serInit()
501 # self.spitSetup(freq)
502 # packetTemp = [0,0,0,0,0,0,0,0]
503 # #form a basic packet
505 # #### split SID into different regs
506 # SIDlow = (standardId & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
507 # SIDhigh = (standardId >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
509 # packet = [SIDhigh, SIDlow, 0x00,0x00, # pad out EID regs
510 # 0x08, # bit 6 must be set to 0 for data frame (1 for RTR)
511 # # lower nibble is DLC
512 # packetTemp[0],packetTemp[1],packetTemp[2],packetTemp[3],packetTemp[4],packetTemp[5],packetTemp[6],packetTemp[7]]
515 # #get folder information (based on today's date)
516 # now = datetime.datetime.now()
517 # datestr = now.strftime("%Y%m%d")
518 # path = self.DATA_LOCATION+"InjectedData/"+datestr+"_GenerationFuzzedPackets.csv"
520 # outfile = open(filename,'a');
521 # dataWriter = csv.writer(outfile,delimiter=',');
522 # #dataWriter.writerow(['# Time Error Bytes 1-13']);
523 # #dataWriter.writerow(['#' + description])
525 # numIds = len(standardIDs)
527 # while( fuzzNumber < Fuzzes):
528 # id_new = standsardIDs[random.randint(0,numIds-1)]
529 # #### split SID into different regs
530 # SIDlow = (id_new & 0x07) << 5; # get SID bits 2:0, rotate them to bits 7:5
531 # SIDhigh = (id_new >> 3) & 0xFF; # get SID bits 10:3, rotate them to bits 7:0
532 # packet[0] = SIDhigh
535 # #generate a fuzzed packet
536 # for i in range(0,8): # for each databyte, fuzz it
538 # limits = dbLimits[idx]
539 # value = random.randint(limits[0],limits[1]) #generate pseudo-random integer value
540 # packet[i+5] = value
542 # #put a rough time stamp on the data and get all the data bytes
543 # row = [time.time(), standardId,8]
544 # msg = "Injecting: "
545 # for i in range(5,13):
546 # row.append(packet[i])
547 # msg += " %d"%packet[i]
549 # dataWriter.writerow(row)
550 # self.client.txpacket(packet)
551 # #inject the packet repeatily
552 # for i in range(1,writesPerFuzz):
553 # self.client.MCPrts(TXB0=True)
554 # time.sleep(period/1000)
556 # print "Fuzzing Complete"